=== Kernel Sanitizers

Contact: Mark Johnston <markj@FreeBSD.org>

Work has been ongoing to port a pair of kernel sanitizers from NetBSD to FreeBSD.
Sanitizers are debugging tools which make use of compiler instrumentation to validate memory accesses.
They can automatically detect many classes of C programming bugs, such as use-after-frees and loads of uninitialized variables.
When combined with link:https://github.com/google/syzkaller[syzkaller] or other testing tools, they are effective at detecting kernel bugs that may otherwise require a great deal of manual effort to identify.

Two sanitizers are being ported, KASAN (link:https://clang.llvm.org/docs/AddressSanitizer.html[AddressSanitizer]) and KMSAN (link:https://clang.llvm.org/docs/MemorySanitizer.html[MemorySanitizer]).
KASAN checks the validity of all memory accesses within the kernel map and triggers a panic upon an out-of-bounds access or a use-after-free.
Various kernel memory allocators annotate regions of memory to denote whether corresponding accesses are valid.
The initial port of KASAN is complete and is planned to appear in the FreeBSD development branch in mid-April.
KMSAN detects uses of uninitialized memory and can detect bugs that result in the contents of kernel memory being leaked to userspace.
Both sanitizers incur considerable memory and CPU overhead.
They are intended to be used mainly in conjunction with test frameworks, though it is certainly possible to boot and run sanitizer-enabled kernels in a desktop or laptop environment.
Currently this work is amd64-only.
It should be possible to port it to arm64 and riscv with relatively little effort.

Future work in this area consists of finishing the KMSAN port, fixing bugs found by the combination of KASAN and syzkaller, and making sure that sanitizers can validate accesses to the direct map.
This may consist of an option to disable usage of the direct map, or introducing a shadow for the direct map.

Sponsor: The FreeBSD Foundation
